DHCP server stops serving clients

Question

Before I explain the actual problem, let me briefly introduce our network:

We have two servers running Windows 2008 R2 SP1 in two different sites, both running AD, DNS, DHCP, WSUS etc.

The servers are automatically shut down every evening and started up every morning. The servers are not running during the weekend (i.e. shut down Friday evening and started only on Monday morning).

The sites are connected over the Internet through a VPN (OpenVPN was used because our cheap routers wouldn't allow the traffic needed by RRAS). OpenVPN runs on the server, i.e. once the servers are started, the VPN connection is established automatically.

Both servers are domain controllers for the same domain and replicate correctly, once the VPN is established. Before the VPN is up, I get quite a lot of error messages, I think because AD tries to replicate but doesn't find the other DC.

I'm aware that it would be better for the servers and the VPN to always be up, so that the different replication errors would not occur. But that's not the main problem; the messages can be ignored.

The big problem that we have is that the DHCP server on one of the DCs sometimes stops serving clients. It's on the DC that was installed first. Every day at startup, we get the following error with Id 1059:
----------------------------------------------------------------------------
The DHCP service failed to see a directory server for authorization.
----------------------------------------------------------------------------

Why doesn't it see itself?

It is immediately followed by the information message below, so everything seems OK after all:
----------------------------------------------------------------------------
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain mada.adesolaire.org, has determined that it is authorized to start. It is servicing clients now.
----------------------------------------------------------------------------

But sometimes we get this error with Id 1046:
----------------------------------------------------------------------------
The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain mada.adesolaire.org, has determined that it is not authorized to start. It has stopped servicing clients. The following are some possible reasons for this:
This machine is part of a directory service enterprise and is not authorized in the same domain. (See help on the DHCP Service Management Tool for additional information).

This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.
----------------------------------------------------------------------------

After restarting the DHCP service manually, it works again. This has now happened twice on a Monday morning, and only on the DC that was installed first. The other one doesn't even display errors, just some warnings. So I'm asking myself if the server is trying to refresh some credentials after the long shutdown over the weekend but doesn't succeed because the VPN isn't up yet, and thus stops serving clients. But again the question:
Why can't it authorize itself, when AD runs on the same machine?!

Is there something I can configure in order to avoid this problem? I know our situation is not ideal for replication (I did the whole configuration mainly to learn things about replication and get some experience), but I would still rather leave it like that if possible.

I think the only other solution would be to delete the other DC on each server so that each DC "thinks" it is the only DC for the domain.

Since the servers only communicate over the VPN, the VPN needs to be fully established before they can communicate, so there is most likely a delay in the server communication which is preventing the DHCP service from starting up correctly.

Regards,

Denis Cooper

MCITP EA - MCT

Help keep the forums tidy, if this has helped please mark it as an answer

I will try that, although I'm not convinced that this will work, because of the following reasons:

It's true that the VPN is not yet established at startup, but shouldn't the server contact itself if another DNS is not available? I mean, there are four addresses in the list, three of them referring to itself.

It does not happen on the second DC.

It does not happen after every startup, until now only on Mondays.

I thought it was recommended to point to another DNS first rather than itself.

Perhaps I'm missing a point, so could you please explain your thoughts further?

By the way, you shouldn't shut down a DC every day. Maybe you couldn't turn it on again.

regards.

MCT | Symantec Trusted Advisor

As I said, I'm aware that it's not recommended to shut down a DC every day. The reason why we do it is to save energy, because there is no reason why the server should run on weekends, for example. I have to explain further that we work here in Madagascar, so power is not always very stable. So it has been a good solution for us to do it that way.

I would like to mention also that the first DC has worked perfectly for almost a year now, it was always started as expected. The second DC was added recently, that's when the DHCP problems started.

If the first IP address is available but DNS has not started up fully you wouldn't necessarily go to the second server in the list.

There is always debate surrounding the DNS entry and whether a server should point to itself or something else, but generally it is preferred that the DC talks to itself first for DNS.

If this doesn't work, you could try and change the DHCP service to a delayed start rather than automatic, as to me it sounds like it is starting before DNS is fully available.

Regards,

Denis Cooper

MCITP EA - MCT

Hello Denis,

I changed the DNS settings as suggested by you and also put the DHCP on delayed start. It worked fine for the rest of last week (as it did before modifying the settings), but today, Monday, the same problem occurred. I really start to think that it's because the server is shut down during the whole weekend and that after a long down time, something causes the DHCP to stop servicing clients.

As Fatih mentioned, you should not shut down the server frequently; it is really a risk.

Best Regards

Quan Gu

Hello Quan Gu,

Thanks for your reply. I don't see why it is a risk, it worked well for almost a year now! It could always be started up manually if one day it doesn't start up automatically... There are three points that I would like to mention again:

DC1 had no problem whatsoever when it was the only domain controller in our network. The problems started once DC2 was installed in the remote site.

DC2 in the remote site is shut down and started up after the same schedule as DC1 and has no errors at all!

And the most astonishing point is that it's always on Mondays that DHCP doesn't serve clients. I think that due to the long shutdown over the weekend, the server tries to refresh some credentials or whatever after startup on Monday, and cannot do it because the VPN is down, so it stops serving clients. But then why does DC2 not have the same problem???

I don't know OpenVPN, but does the OpenVPN software create a virtual NIC in your server? A multihomed DC could create errors like the ones you see. As your routing table might not be OK when the DHCP service starts, maybe bind the DHCP service to the local NIC only. Please ignore the tip if it doesn't create a second NIC.
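The checks suggested in this thread (event IDs 1059/1046 at startup, DHCP authorization in AD, DNS client order on the DC, DHCP delayed start, and DHCP binding to the LAN NIC only) can be gathered in one place. The script below is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on the affected DC (Windows Server 2008 R2 with PowerShell 2.0), that the service name is DHCPServer, and that the LAN adapter name and the two DNS addresses at the end are placeholders to be replaced with the real ones.

```powershell
# Added diagnostic script (not from the thread). Assumptions: run elevated on the
# affected DC; Windows Server 2008 R2 / PowerShell 2.0; service name DHCPServer;
# event IDs 1059/1046 as quoted in the thread. Adapter name and IPs are placeholders.
param(
    [string]$LanAdapter = "Local Area Connection",   # placeholder: the server's "real" NIC
    [int]$Days = 14                                  # look back two weekends
)

Write-Host "== DHCP authorization events (1059 = no directory server seen, 1046 = not authorized) =="
$since = (Get-Date).AddDays(-$Days)
# Weekday column makes the "only on Mondays" pattern visible at a glance.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1059, 1046; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Weekday'; e = { $_.TimeCreated.DayOfWeek } } |
    Format-Table -AutoSize

Write-Host "== DHCP servers authorized in Active Directory (this DC must be listed) =="
netsh dhcp show server

Write-Host "== Interfaces the DHCP service is bound to (LAN NIC only, not the OpenVPN TAP adapter) =="
netsh dhcp server show bindings

Write-Host "== DNS client order on the LAN NIC (the DC should list itself first) =="
netsh interface ipv4 show dnsservers name="$LanAdapter"

Write-Host "== DHCP service start type (delayed-auto starts after the other automatic services) =="
$svc = Get-WmiObject Win32_Service -Filter "Name='DHCPServer'"
$delayed = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer' -ErrorAction SilentlyContinue).DelayedAutostart
"{0}: StartMode={1}, DelayedAutostart={2}, State={3}" -f $svc.Name, $svc.StartMode, $delayed, $svc.State

# To apply the two changes discussed in the thread, uncomment the lines below.
# 1) Delayed start for the DHCP Server service (note the space after "start=").
# sc.exe config DHCPServer start= delayed-auto
# 2) DNS order: this DC first, the other DC second (placeholder addresses).
# netsh interface ipv4 set dnsservers name="$LanAdapter" source=static address=192.0.2.10 register=primary
# netsh interface ipv4 add dnsservers name="$LanAdapter" address=192.0.2.20 index=2
```

Run it once on a Monday morning right after the symptom appears and once on a day when DHCP starts cleanly; comparing the authorization list, bindings and DNS order between the two runs shows whether anything other than the VPN timing differs. The configuration lines are left commented out so the script is read-only by default.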

Thanks for your reply. There is indeed a virtual NIC in the server, on which OpenVPN listens. But DHCP is only listening on the "real" NIC of the server. This configuration worked well before the second DC was added to the domain, so I think it's not an OpenVPN problem.

Hmm I really start to think that the only solution would be to remove the other DC from the domain, what a pity.

The server is starting, but the DHCP server is then not serving clients. Yes I tried to put it on a delayed start but it didn't solve the problem. It works fine during the whole week, except on Monday morning after the long shutdown over the weekend.

OK, in that case I will try and disable the OpenVPN service and the virtual NIC to see if it solves the problem of the DHCP server. I just want to mention that DHCP never stops working at random moments, but always on Monday when the server is started up (at least this was the case for the last three weeks). And the second DC doesn't have that problem, even with OpenVPN and the virtual NIC installed. The only difference between both DCs is that one acts as VPN server and the other as VPN client.

It's true that it would be a better solution to use a separate computer for the VPN link, but if it could be done directly on the server, it would be easier. I'll try what you suggested and will post again if there is any news.